Описание
Security update for log4j
This update for log4j fixes the following issue:
- Previously published fixes for log4jshell turned out to be incomplete. Upstream has followed up on the original patch for CVE-2021-44228 with several additional changes (LOG4J2-3198, LOG4J2-3201, LOG4J2-3208, and LOG4J2-3211) that are included in this update. Since the totality of those patches is pretty much equivalent to an update to the latest version of log4j, we did update the package's tarball from version 2.13.0 to 2.16.0 instead of trying to apply those patches to the old version. This change brings in a new dependency on 'jakarta-servlet' and a version update of 'disruptor'. [bsc#1193743, CVE-2021-45046]
This update was imported from SUSE:SLE-15-SP2:Update.
Список пакетов
openSUSE Leap 15.2
Ссылки
- E-Mail link for openSUSE-SU-2021:1601-1
- SUSE Security Ratings
- SUSE Bug 1193743
- SUSE CVE CVE-2021-44228 page
- SUSE CVE CVE-2021-45046 page
Описание
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Затронутые продукты
Ссылки
- CVE-2021-44228
- SUSE Bug 1193611
- SUSE Bug 1193662
- SUSE Bug 1193743
- SUSE Bug 1193795
- SUSE Bug 1194016
- SUSE Bug 1194123
- SUSE Bug 1202994
Описание
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Затронутые продукты
Ссылки
- CVE-2021-45046
- SUSE Bug 1193743